Trend Micro researchers have identified several malicious applications on the Google Play store that appear to indicate a botnet in development. The applications masquerade as authentic voice messenger platforms. The researchers found that the applications contain automated functionality, and that applications and malicious capabilities have been added continuously since October 2018. Features of these applications include automatic pop-ups, fake surveys, and fraudulent advertisement clicks, in addition to modular functions such as evolving evasion techniques and different infection actions. The threat actors behind this campaign tagged some of their samples “1.0”, which leads researchers to assess that this may be a botnet in an early development phase.

Recommendation: As this story shows, malicious applications sometimes make their way into legitimate mobile stores. All applications should therefore be carefully researched before they are installed on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted before those permissions are granted. Furthermore, all applications, especially free versions, should only be downloaded from trusted vendors.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.